CVE-2026-40482 Overview
CVE-2026-40482 is a SQL Injection vulnerability affecting ChurchCRM, an open-source church management system. The vulnerability exists in the FinancialService::getMemberByScanString() function where the $routeAndAccount parameter is directly concatenated into a raw SQL query without proper sanitization. This allows authenticated attackers to manipulate database queries, potentially leading to unauthorized data access and limited data modification.
Critical Impact
Authenticated attackers can exploit this SQL injection flaw to extract sensitive member and financial data from the ChurchCRM database, with potential for limited data manipulation.
Affected Products
- ChurchCRM versions prior to 7.2.0
- ChurchCRM Financial Service module
- Organizations using vulnerable check scanning functionality
Discovery Timeline
- 2026-04-18 - CVE CVE-2026-40482 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-40482
Vulnerability Analysis
This SQL injection vulnerability (CWE-89) affects the financial services component of ChurchCRM. The vulnerable function getMemberByScanString() processes check scan strings to identify family members in the database. The core issue lies in how the $routeAndAccount variable, extracted from user-supplied scan data, is directly interpolated into a SQL query string without any input validation or parameterization.
The vulnerable code constructed a SQL query by concatenating user input directly: the $routeAndAccount value was embedded into a SELECT statement querying the family_fam table. This classic SQL injection pattern allows attackers who can supply crafted check scan strings to inject malicious SQL fragments, breaking out of the intended query structure.
The network-accessible nature of this vulnerability means attackers with low-level privileges on the ChurchCRM application can exploit it remotely. The primary impact is on data confidentiality, with attackers able to extract sensitive member information, financial records, and other data stored in the database. There is also a limited integrity impact, as certain SQL injection techniques could allow data modification.
Root Cause
The root cause is improper input validation (CWE-89: Improper Neutralization of Special Elements used in an SQL Command). The $routeAndAccount parameter was concatenated directly into a raw SQL query string without using parameterized queries or prepared statements. This violates secure coding practices for database interactions.
Attack Vector
An authenticated attacker with access to the financial services functionality can submit a specially crafted check scan string containing SQL metacharacters. When the getMemberByScanString() function processes this input, the malicious SQL fragments are executed against the database. The attack can be performed over the network against any accessible ChurchCRM instance running a vulnerable version.
// Vulnerable code (before fix)
$sSQL = 'SELECT fam_ID, fam_Name FROM family_fam WHERE fam_scanCheck="' . $routeAndAccount . '"';
$rsFam = FunctionsUtils::runQuery($sSQL);
$row = mysqli_fetch_array($rsFam);
// Fixed code (after patch)
$family = FamilyQuery::create()->findOneByScanCheck($routeAndAccount);
// Now using Propel ORM which properly handles parameterization
Source: GitHub Commit Update
Detection Methods for CVE-2026-40482
Indicators of Compromise
- Unusual database query patterns in ChurchCRM logs, particularly involving the family_fam table
- Web application firewall alerts for SQL injection patterns in requests to financial service endpoints
- Unexpected database errors or query failures in the check scanning functionality
- Anomalous data access patterns to member or financial records
Detection Strategies
- Deploy web application firewall (WAF) rules to detect SQL injection patterns targeting ChurchCRM endpoints
- Monitor database logs for queries containing SQL injection signatures such as UNION SELECT, OR 1=1, or comment sequences (--, /*)
- Implement application-level logging to capture all requests to the FinancialService endpoints
- Review ChurchCRM access logs for unusual activity patterns from authenticated users
Monitoring Recommendations
- Enable verbose logging for the ChurchCRM financial services module
- Configure database query logging to capture queries against the family_fam table
- Set up alerts for failed authentication attempts followed by successful logins and immediate financial service access
- Monitor for bulk data extraction patterns that may indicate post-exploitation data exfiltration
How to Mitigate CVE-2026-40482
Immediate Actions Required
- Upgrade ChurchCRM to version 7.2.0 or later immediately
- Review database access logs for signs of prior exploitation
- Consider temporarily restricting access to financial service functionality until patching is complete
- Audit user accounts with access to financial features for any unauthorized activity
Patch Information
ChurchCRM has addressed this vulnerability in version 7.2.0. The fix replaces the vulnerable raw SQL query with Propel ORM's FamilyQuery::create()->findOneByScanCheck() method, which properly handles input parameterization and prevents SQL injection. The patch is available through the GitHub Pull Request #8607 and is documented in the GitHub Security Advisory GHSA-hc37-vx3w-34fg.
Workarounds
- If immediate patching is not possible, restrict network access to the ChurchCRM instance to trusted IP addresses only
- Implement WAF rules to block requests containing common SQL injection payloads to financial service endpoints
- Temporarily disable the check scanning functionality if it is not critical to operations
- Apply database-level access controls to limit the ChurchCRM database user's permissions to the minimum required
# Example: Restrict database user permissions (MySQL)
# Revoke unnecessary privileges from the ChurchCRM database user
REVOKE ALL PRIVILEGES ON churchcrm.* FROM 'churchcrm_user'@'localhost';
GRANT SELECT, INSERT, UPDATE ON churchcrm.* TO 'churchcrm_user'@'localhost';
# Remove DELETE privilege to limit potential damage from SQL injection
FLUSH PRIVILEGES;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
